A Good Reason To Go Full-Time SSL For Gmail

Ashik Ratnani writes with this snippet from Hungry Hackers: "A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers' conference in Las Vegas. Last week, Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, not just authentication. Users who did not turn it on now have a serious reason to do so, as Mike Perry, the reverse engineer from San Francisco who developed the tool, is planning to release it in two weeks."
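The weakness the summary describes is a session cookie that the browser also sends over plain HTTP, so anyone on the network path can copy it even when the login itself used SSL. As an added defender-side check (not code from the article or from the Defcon tool), the Python below reads Set-Cookie headers and flags cookies that lack the Secure attribute; the header values and cookie names are constructed for the example.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers (not real Gmail headers): the first is
# restricted to HTTPS by the Secure attribute; the other two would be attached
# to any plain-HTTP request to the site and can be read off the wire.
SAMPLE_HEADERS = [
    "Set-Cookie: SID=a1b2c3; Path=/; Secure; HttpOnly",
    "Set-Cookie: PREF=en; Path=/; Max-Age=31536000",
    "Set-Cookie: AUTHTOKEN=d4e5f6; Path=/; HttpOnly",
]

# Heuristic name fragments that usually indicate a session-bearing cookie.
SESSION_HINTS = ("sid", "session", "auth", "token", "login")


def parse_set_cookie(header):
    """Return (name, morsel) for one 'Set-Cookie: ...' header line."""
    _, _, value = header.partition(":")
    jar = SimpleCookie()
    jar.load(value.strip())
    name, morsel = next(iter(jar.items()))
    return name, morsel


def looks_like_session(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_cookies(headers):
    """List cookies a browser would also send over plaintext HTTP.

    A cookie without the Secure attribute is reported; if its name looks
    like a session or auth token the finding is rated high, because that
    is the value a sidejacking tool needs to impersonate the user.
    HttpOnly is recorded too, but it does not stop network interception.
    """
    findings = []
    for header in headers:
        name, morsel = parse_set_cookie(header)
        if not morsel["secure"]:
            findings.append({
                "cookie": name,
                "severity": "high" if looks_like_session(name) else "low",
                "httponly": bool(morsel["httponly"]),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```

The fix on the server side is the one the story points at: serve every request over SSL and mark the session cookie Secure so it is never emitted on a plaintext connection.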

  • Re:Just for Google? (Score:4, Interesting)

    by clone53421 ( 1310749 ) on Tuesday August 19, 2008 @11:44AM (#24659475) Journal

    Not quite ALL intents and purposes. If I want to change my password, I still need to know my current password. Although somebody who steals my SID can read my mail they can't change my password and lock me out.

  • Re:Ow ow ow. (Score:1, Interesting)

    by Anonymous Coward on Tuesday August 19, 2008 @11:47AM (#24659517)
    People usually treat phrases as words and don't really pay attention to their origin or what the individual parts of the phrase mean.
  • Re:Just for Google? (Score:3, Interesting)

    by Loki_1929 ( 550940 ) on Tuesday August 19, 2008 @11:53AM (#24659601) Journal

    There's a sizable portion of the general public that doesn't want to be bothered having to remember any passwords for anything. They simply want to click a button and have it work.

    You'd have better luck explaining the security implications of such a system to a chimp.

  • Re:Just for Google? (Score:1, Interesting)

    by Anonymous Coward on Tuesday August 19, 2008 @11:59AM (#24659681)

    I know this is being pedantic, but you are missing a period after the quote or you should have moved it outside the quotes. The urge is too strong since you seem to be so happy harping on missing periods...

  • by thomasdz ( 178114 ) on Tuesday August 19, 2008 @12:02PM (#24659731)

    I can understand that back in the web's "stone age" (mid 1990s), having HTTPS for every web site would have seriously slowed down all the computers due to CPU usage, but nowadays is there any real good reason that the whole web can't be HTTPS?
    With all the government and ISP snoopings going on, I'm surprised that at least some sites haven't gone that way.
    (or is it that embedded browsers like on cell phones can't do SSL?)

    TDz.

  • by Anonymous Coward on Tuesday August 19, 2008 @12:03PM (#24659735)

    Isn't Gmail the only webmail provider that offers this? Why are you not complaining about Hotmail, Yahoo, etc.?

  • by origamy ( 807009 ) on Tuesday August 19, 2008 @12:20PM (#24660023) Homepage
    I don't understand why someone needs to prove a security vulnerability by releasing the tool.
    By releasing this tool he will make it available for anyone with bad intentions to implement it. Weeks later we will have issues all over the place because we did not teach our grandparents to enable the checkbox in Gmail, or the vulnerability is exploited in other webmail clients. By then, the botnets will be hijacking Gmail accounts to send spam to everybody.
    So, really, who benefits from the release of this tool?
  • by blueg3 ( 192743 ) on Tuesday August 19, 2008 @12:23PM (#24660075)

    Google, etc., were notified of this vulnerability a year ago and have not acted on it. Someone with bad intentions could implement it easily using the description of the vulnerability anyway -- a publicly-available working tool will highlight the importance of fixing this problem.

  • by DuSTman31 ( 578936 ) on Tuesday August 19, 2008 @12:25PM (#24660125)

    One thing that I find somewhat counterproductive is that browsers do not save files sent over SSL in their caches.

    It's sensible, I suppose, to assume that if something's sent over an SSL channel that it's sensitive and therefore shouldn't be saved, but it would give a speed and bandwidth efficiency hit which would deter usage of SSL for everyday browsing.

    You could, of course, have the HTML transmitted over SSL and the supporting images over plain HTTP, but then the browser will scare people by warning that not all content on the page is secure.

    I think browsers should start looking at encrypting their cache files, so that stuff such as SSL can be accommodated without breaking caching.

  • by Atriqus ( 826899 ) on Tuesday August 19, 2008 @12:47PM (#24660501) Homepage
    I found a Firefox add-on called Perspectives that makes the browser behave a bit more rationally: http://www.cs.cmu.edu/~perspectives/
  • Re:A few notes... (Score:5, Interesting)

    by Dolohov ( 114209 ) on Tuesday August 19, 2008 @01:03PM (#24660761)

    Mike Perry did a great public service by making this tool and making it available.

    WTF? No he didn't. Pointing out the vulnerability is a public service, yes. Giving a talk where he outlines the problem? Also a public service. Distributing the means for anyone to make use of this vulnerability (ESPECIALLY when so many major vendors aren't prepared for it yet) is not a public service anymore. It's just arming script kiddies. Ralph Nader was able to do plenty of good without going around ramming into Chevy Corvairs to somehow "drive home" the need for a fix.

  • by legirons ( 809082 ) on Tuesday August 19, 2008 @01:43PM (#24661409)

    "Last week, Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, not just authentication."

    Unfortunately not available for anyone who has their own domain's email hosted at google :(

  • Re:Just for Google? (Score:3, Interesting)

    by corbettw ( 214229 ) on Tuesday August 19, 2008 @02:24PM (#24661995) Journal

    But if a site is not signed at all, then it must be safe, huh?

    An unencrypted site is less dangerous than a self-signed one because the former isn't advertising that it's safe; the latter is. It's presenting the appearance of security, with the reality of none. You're much better off thinking you're insecure, and acting appropriately, than assuming you're secure, and not realizing you've just given your bank account information to a phisher.

  • Re:Just for Google? (Score:4, Interesting)

    by rah1420 ( 234198 ) <rah1420@gmail.com> on Tuesday August 19, 2008 @03:30PM (#24663121)

    So why the fuck haven't I had mod points? This might be one of the most interesting things I've read on /. in a long time. If ever.

    Yeah, so sue me. I don't get out much.

  • Re:Just for Google? (Score:3, Interesting)

    by kklein ( 900361 ) on Tuesday August 19, 2008 @10:10PM (#24667601)

    Easy. The lexicogrammar of "begs the question" makes far more sense in its common usage as being synonymous with "raises the question." Some situation seems to be begging for someone to ask a particular question. The original meaning of this idiomatic expression, having to do with circular logic, does not as clearly follow from the individual meanings of those words. Also, to be honest, I have never, ever heard a usage of the original meaning. Ever.

    I am an applied linguist by training and trade, and you know what? I have heard this "incorrectly" used at conferences. Face it. The meaning has changed. No one even knows what the original was.

    "Intensive purposes" is different because it makes no sense. When we say "for all intents and purposes," we are making a large, sweeping, general claim. This is the opposite of what is implied by "intensive purposes," which would denote some sort of specific, focused usage of whatever it is we're talking about.

    Also, someone who uses "intensive purposes" needs their hearing checked. There is no /v/ in there. When someone uses "intensive purposes," it implies that they not only don't listen closely but that they also don't even think about what they are saying. It implies a sort of illiteracy. It does not reflect well on someone's education, because educated people do not talk like that.

    Educated people do, however, use "begs the question" "incorrectly." So it gets a pass.

    Language is one of the clearest tribal identifiers. Standard usage identifies to others that you are the same tribe and affords you the benefits thereof. We can yammer on about elitism, but that's just plain how it works. In every society. Learning to use language in a standard way tells others who have done the same that you are brethren and, like them, have spent the time and effort "correcting" your behavior.

    None of this is really about "correct" usage; it's about "standard" and "accepted" usage. "Begs the question" passes; "intensive purposes" doesn't. The former is an interesting evolution of the usage of an idiomatic phrase; the latter, an indication that someone is kind of a moron.

  • Re:Just for Google? (Score:3, Interesting)

    by complete loony ( 663508 ) <Jeremy@Lakeman.gmail@com> on Wednesday August 20, 2008 @12:22AM (#24668691)
    Sure you could encrypt traffic between client and server, but if you can't verify the identity of the server during key exchange, you can't prevent a man-in-the-middle attack which makes the encryption useless.